apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: dexauthenticators.deckhouse.io
  labels:
    heritage: deckhouse
    module: user-authn
spec:
  group: deckhouse.io
  scope: Namespaced
  names:
    plural: dexauthenticators
    singular: dexauthenticator
    kind: DexAuthenticator
    shortNames:
      - dex-auth
  preserveUnknownFields: false
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema: &schema
        openAPIV3Schema:
          type: object
          required:
            - spec
          description: |
            After the `DexAuthenticator` object appears in the namespace, the following objects will be created:
            * Deployment containing oauth2-proxy and redis containers
            * Service, pointing to a Deployment with an oauth2-proxy
            * Ingress, configured to receive requests on `https://<applicationDomain>/dex-authenticator` and send it to a service side
            * Secrets, needed to access Dex

            **NOTE!** After restarting a pod with an oauth2-proxy, the current `access token` and `id token` will be queried (using the refresh token) and stored in a redis memory.
          x-doc-examples:
            - apiVersion: deckhouse.io/v1
              kind: DexAuthenticator
              metadata:
                name: app-name
                namespace: app-namespace
              spec:
                applicationDomain: "app-name.kube.my-domain.com"
                sendAuthorizationHeader: false
                applicationIngressCertificateSecretName: "ingress-tls"
                applicationIngressClassName: "nginx"
                keepUsersLoggedInFor: "720h"
                allowedGroups:
                  - everyone
                  - admins
                whitelistSourceRanges:
                  - 1.1.1.1/32
                  - 192.168.0.0/24
          properties:
            spec:
              type: object
              required:
                - applicationDomain
                - applicationIngressClassName
              properties:
                applicationDomain:
                  type: string
                  description: 'Public domain that points to your application. Must be specified **without** HTTP scheme.'
                  x-doc-examples: ['my-app.domain.com']
                  pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                sendAuthorizationHeader:
                  type: boolean
                  description: 'Request to application will be sent with "Authorization: Bearer" header when the option is switched to true.'
                applicationIngressCertificateSecretName:
                  type: string
                  description: 'Name of TLS-certificate secret specified in your application Ingress object to add to Dex authenticator Ingress object for HTTPS access. Secret must be located in the same namespace with DexAuthenticator object.'
                  x-doc-examples: ['ingress-tls']
                  pattern: '^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$'
                applicationIngressClassName:
                  type: string
                  description: 'Ingress class that serves your application ingress resource.'
                  x-doc-examples: ['nginx']
                  pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                signOutURL:
                  type: string
                  description: 'Provide the URL from which requests will be proxied to the Dex authenticator sign out URL.'
                keepUsersLoggedInFor:
                  type: string
                  description: |
                    User session will be kept for specified amount of time even if user will not log in.

                    Specified with  s, m or h suffix.
                  x-doc-examples: ['24h']
                  x-doc-default: '168h'
                allowedGroups:
                  type: array
                  description: |
                    Groups that the user should be in to authenticate successfully.

                    Additionally, this parameter limits the list of groups that will be put into OIDC token (there will be an intersection of the specified groups and the actual groups of the user).
                  x-doc-default: 'All groups are allowed.'
                  items:
                    type: string
                whitelistSourceRanges:
                  type: array
                  description: |
                    CIDRs that are allowed to authenticate. Authentication is allowed without IP address restrictions, If not specified.
                  x-doc-examples: ['192.168.42.0/24']
                  items:
                    type: string
                    pattern: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$'
                nodeSelector:
                  additionalProperties:
                    type: string
                  x-kubernetes-preserve-unknown-fields: true
                  description: |
                    If specified, the `dex-authenticator` pods `nodeSelector`.

                    If the parameter is omitted or `false`, it will be determined [automatically](https://deckhouse.io/documentation/v1/#advanced-scheduling).

                    **Pattern**: the same as in the pods' `spec.nodeSelector` parameter in Kubernetes;
                  type: object
                tolerations:
                  description: |
                    If specified, the `dex-authenticator` pods `tolerations`.

                    The `dex-authenticator` pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.

                    If the parameter is omitted or `false`, it will be determined [automatically](https://deckhouse.io/documentation/v1/#advanced-scheduling).

                    **Pattern**: Standard [toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) object. Pods inherit this object AS IS.
                  items:
                    properties:
                      effect:
                        description: |
                          Effect indicates the taint effect to match. Empty means match all taint effects.
                        type: string
                        enum: ["NoSchedule", "PreferNoSchedule", "NoExecute"]
                      key:
                        description: |
                          Key is the taint key that the toleration applies to. Empty means match all taint keys.

                          If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                        type: string
                      operator:
                        description: |
                          Operator represents a key's relationship to the value.

                          Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
                        type: string
                        enum: ["Exists", "Equal"]
                        x-doc-default: Equal
                      tolerationSeconds:
                        description: |
                          TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint.

                          By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
                        format: int64
                        type: integer
                      value:
                        description: |
                          Value is the taint value the toleration matches to.

                          If the operator is Exists, the value should be empty, otherwise just a regular string.
                        type: string
                    type: object
                  type: array
      additionalPrinterColumns: &additionalPrinterColumns
        - jsonPath: .spec.applicationDomain
          name: Domain
          type: string
    - name: v1
      served: true
      storage: false
      schema: *schema
      additionalPrinterColumns: *additionalPrinterColumns
